Information security tips and tricks for both home and business users

Too Many Passwords? Time For a Password Safe.

Ballpark estimate: How many usernames and passwords do you have? If you answered, “Entirely too many!” you’re not alone.

Passwords are an ancient technology that we’ve adapted over the centuries and still use today to control access to systems and applications. With the explosion of online services over the past few years, each one maintaining its own set of usernames and passwords, the burden on the end user to keep track of dozens (if not hundreds) of credential sets is ridiculous.

Password reuse, the practice of using the same username and password for every site you visit, is a recipe for disaster. If an attacker compromises just one website that has your credential set poorly protected, then that attacker would have access to every single website where you’re using those same credentials. You may not care if someone compromises your Twitter password, unless you’re using that same password for your online banking service.

You’ve probably noticed that some websites let you log in with credentials from other sites, like Google or Facebook. The OAuth and OpenID protocols were developed in part to help reduce the sheer number of credential sets that users need to remember (or even create). While this improves the end user experience, the risk of compromise doesn’t go away. If your centralized account is compromised, so is every other application and service that the account can access.

While the security and development communities continue to work toward a better solution, there is another option you can consider that offers both security and convenience: a password safe.

A password safe is essentially an encrypted container that contains all of your different usernames and passwords. Most users create one super-strong password to encrypt their password safe, and then they store all of their usernames and passwords inside.

The coolest feature about password safes is that you can have a different username and password for every single website that requires one, and you don’t have to remember any of them. When you visit the site, you copy the credentials from the password safe to the website, click submit, and you’re in. You can tell your password safe to create a ridiculously complex password that only Raymond Babbitt could remember, but all you need to remember is the website URL and how to copy-paste.
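To make the "encrypted container plus one master password" idea concrete, here is a small password safe written for this post as an added example (it is not code from any product mentioned here). It generates a random password per site with the CSPRNG, stretches the master passphrase with PBKDF2 into separate encryption and MAC keys, and seals the whole credential set with encrypt-then-MAC so a wrong passphrase or a tampered file is rejected before anything is decrypted. The iteration count and the HMAC-SHA256 counter-mode keystream are assumptions made to keep the example standard-library only; a real safe would use a vetted cipher such as AES-GCM and tune the work factor to its hardware.

```python
import hashlib
import hmac
import json
import os
import secrets
import string

# PBKDF2 work factor. Assumed value for the demo; a real safe tunes this to hardware.
KDF_ITERATIONS = 200_000
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 24, alphabet: str = ALPHABET) -> str:
    """Make a random per-site password from a CSPRNG (the 'ridiculously complex' kind)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def derive_keys(master_passphrase: str, salt: bytes) -> tuple:
    """Stretch the master passphrase into separate encryption and MAC keys."""
    material = hashlib.pbkdf2_hmac(
        "sha256", master_passphrase.encode("utf-8"), salt, KDF_ITERATIONS, dklen=64
    )
    return material[:32], material[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode. Assumed stand-in for a real cipher (AES-GCM) so the
    example stays stdlib-only; the structure, not this primitive, is the lesson."""
    blocks = bytearray()
    counter = 0
    while len(blocks) < length:
        blocks += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(blocks[:length])


def seal(master_passphrase: str, entries: dict) -> bytes:
    """Encrypt the whole credential set; layout is salt || nonce || ciphertext || tag."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(master_passphrase, salt)
    plaintext = json.dumps(entries, sort_keys=True).encode("utf-8")
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    # Encrypt-then-MAC: the tag covers everything the reader will parse.
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + ciphertext + tag


def open_safe(master_passphrase: str, blob: bytes) -> dict:
    """Verify the tag first, then decrypt. Wrong passphrase and tampering both fail here."""
    salt, nonce, ciphertext, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = derive_keys(master_passphrase, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong master passphrase or safe has been tampered with")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, stream))
    return json.loads(plaintext.decode("utf-8"))


if __name__ == "__main__":
    # Constructed sample: two sites, each with its own generated password.
    safe = {
        "bank.example": {"username": "alice", "password": generate_password()},
        "social.example": {"username": "alice_b", "password": generate_password()},
    }
    master = "correct horse battery staple"
    with open("safe.bin", "wb") as fh:
        fh.write(seal(master, safe))
    with open("safe.bin", "rb") as fh:
        print(open_safe(master, fh.read())["bank.example"]["username"])
```

The user remembers one passphrase; everything else is random and lives only inside the sealed blob. Checking the tag before decrypting is what turns a stolen file into a guessing problem rather than a read: each guess at the master passphrase costs the attacker a full PBKDF2 derivation.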

Depending on your level of paranoia, you could either choose a file-based password safe or a cloud-based option. Chances are that you use at least one mobile device. Depending on whether or not you use that device to access password-protected sites, you may want to make sure that the password safe you choose has mobile functionality.

Keep in mind that password safes aren’t entirely risk free. LastPass, who touts “the LAST password you’ll have to remember,” notified their users in 2011 that they needed to change their LastPass password because of a security breach. Attackers gained access to encrypted versions of the master passwords, which they had to crack in order to gain access to any of the passwords in the safe. Users with strong master passwords, as well as users who changed their master passwords as soon as the breach was reported, only had to change one password in one system to keep their passwords safe. MUCH simpler than visiting every site where you’re using the same username and password and going through the password reset process.

My advice? You should check out the password safes currently on the market, free and open source, and find one that’s right for you. Here are a few links to get you started:

Use a master passphrase instead of a password. For example, Thisisaridiculouslylongpassword! is easy to remember but hard for an attacker to crack.
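Why does a long passphrase hold up when the encrypted master password leaks, as in the breach described above? The following estimator, added here as an example and not taken from the post, compares two attacker models: guessing character by character over the classes present, and guessing word by word from a dictionary (which is how a passphrase made of English words is really attacked). The dictionary size and the guess rate against a KDF-stretched hash are assumed figures you can change; the point is the gap between a short password and a multi-word passphrase under either model.

```python
import math
import string

# Character classes an attacker would assume when brute-forcing by character.
CLASS_SIZES = {
    "lower": (set(string.ascii_lowercase), 26),
    "upper": (set(string.ascii_uppercase), 26),
    "digit": (set(string.digits), 10),
    "symbol": (set(string.punctuation), len(string.punctuation)),
}


def char_space_bits(password: str) -> float:
    """Search space if the attacker tries every string of this length over the
    character classes actually present (the optimistic, per-character model)."""
    charset = sum(size for chars, size in CLASS_SIZES.values()
                  if any(c in chars for c in password))
    return len(password) * math.log2(charset) if charset else 0.0


def word_space_bits(n_words: int, dictionary_size: int = 20_000) -> float:
    """Search space if the attacker guesses passphrases word by word from a
    dictionary. The 20,000-word dictionary is an assumption, not a measurement;
    ignoring capitalisation and trailing symbols makes this a conservative bound."""
    return n_words * math.log2(dictionary_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try every candidate; on average the attacker succeeds in about half."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)


def compare(password: str, n_words: int, guesses_per_second: float = 1e5) -> dict:
    """Both estimates for one candidate master passphrase, in years at the given
    rate. 1e5 guesses/s is an assumed figure for a KDF-stretched hash on one machine."""
    char_bits = char_space_bits(password)
    word_bits = word_space_bits(n_words)
    return {
        "char_bits": char_bits,
        "word_bits": word_bits,
        "years_char_model": years_to_exhaust(char_bits, guesses_per_second),
        "years_word_model": years_to_exhaust(word_bits, guesses_per_second),
    }


if __name__ == "__main__":
    # The post's own passphrase: six English words plus a symbol.
    for label, pw, words in [("passphrase", "Thisisaridiculouslylongpassword!", 6),
                             ("short password", "password", 1)]:
        r = compare(pw, words)
        print(f"{label}: {r['char_bits']:.0f} bits by character, "
              f"{r['word_bits']:.0f} bits by word; "
              f"{r['years_word_model']:.3g} years under the word model")
```

The word model strips away most of the apparent strength of a passphrase, yet six words still leave a search space that outlasts any realistic attacker at a KDF-limited guess rate, while a single dictionary word falls in a fraction of a second. That is the whole argument for a passphrase over a password: length you can remember beats complexity you cannot.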

Be careful with your secret question answers. If any of your password reset services allow you to log in by answering secret questions, don’t use answers that an attacker can find by scouring your Facebook or LinkedIn profile. If you’re wearing a Columbus Blue Jackets jersey in every picture you post online, you better believe a hacker is going to know what you answered to “What is your favorite sport?”